If I encrypt a message with AES-GCM, is it safe to use the MAC as the hash in a DSA/RSA signature? That is, if someone knows the AES key and nonce, will they be able to generate a different message with the same key/nonce that results in the same MAC?

1 Answer

Well, no, it is not safe to use a GCM authentication tag as a hash. If you know the key, it is straightforward to find preimages; that is, find a message that hashes to a specific target value. Note that you asked for second preimage resistance; not only does it fail to provide that, it fails to provide the weaker preimage resistance.

CCM and OCB have exactly the same property; in all three cases, the authentication tags were designed to act as Message Authentication Codes, not Cryptographical Hashes; note that these are two different concepts. In particular, a Message Authentication Code is supposed to prevent someone who doesn't know the key from creating valid tag values; nothing in the definition says it has any security properties against someone who does know the key (and, again, in the case of GCM/CCM/OCB, they don't).

In fact, they fail to provide preimage resistance in this strong sense; if you are given the target tag value, keys, the nonce and a message template that specifies the entire message except for an aligned 128 bit region, with GCM, CCM or OCB, you can compute what value that aligned 128 bit region must be in order for the tag to be a specified target value.

I'm leaving out authenticated stream ciphers from this discussion; I haven't examined all of them, and so I can't make a blanket statement about them. I would be personally doubtful, though; unless something was designed specifically to be collision resistant, more than likely it won't be.
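As an added illustration of the known-key preimage described in the answer (this is example code, not part of the original post): GHASH is linear over GF(2^128), so once the key and nonce fix H = E_K(0) and S = E_K(J0), the one aligned 128-bit block that makes the tag equal any chosen target can be solved for directly. The AES step is left out; H, S and the ciphertext block are the known-answer values of NIST GCM test case 2 (K = 0^128, IV = 0^96), and the target tag is an arbitrary constructed value.

```python
# GHASH and GF(2^128) arithmetic as in NIST SP 800-38D. The AES-derived
# constants H = E_K(0^128) and S = E_K(J0) are the known-answer values from
# NIST GCM test case 2 (K = 0^128, IV = 0^96), so no AES library is needed.
R = 0xE1 << 120   # reduction constant for GCM's bit-reflected field
ONE = 1 << 127    # the element "1" in that bit ordering

def gf_mul(x, y):
    # SP 800-38D Algorithm 1 (bitwise multiply in GF(2^128))
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x, e):
    r, b = ONE, x
    while e:
        if e & 1:
            r = gf_mul(r, b)
        b, e = gf_mul(b, b), e >> 1
    return r

def ghash(h, blocks):
    # blocks: padded AAD blocks, ciphertext blocks, then the length block
    y = 0
    for b in blocks:
        y = gf_mul(y ^ b, h)
    return y

def solve_block(h, s, blocks, idx, target):
    # GHASH(X_1..X_m) = XOR_j X_j * H^(m-j+1), so with the other blocks fixed the
    # tag is affine in X_idx with coefficient H^(m-idx) (idx is 0-based).
    m = len(blocks)
    fixed = list(blocks)
    fixed[idx] = 0
    coeff_inv = gf_pow(gf_pow(h, m - idx), (1 << 128) - 2)   # x^(2^128-2) = x^-1
    return gf_mul(ghash(h, fixed) ^ s ^ target, coeff_inv)

# NIST GCM test case 2 known-answer values (tag for C1 alone is ab6e47d4...)
H = 0x66e94bd4ef8a2c3b884cfa59ca342b2e
S = 0x58e2fccefa7e3061367f1d57a4e7455a
C1 = 0x0388dace60b6a392f328c2b971b2fe78
LEN_BLOCK = 128   # [len(A)]_64 || [len(C)]_64 = 0 || 128 bits

def demo(target=0xdeadbeef << 96):
    # Constructed target: compute the single ciphertext block that produces it.
    forged = solve_block(H, S, [C1, LEN_BLOCK], 0, target)
    return ghash(H, [forged, LEN_BLOCK]) ^ S == target
```

The same solve works for any aligned block position, including an AAD block, because every block enters GHASH through the same linear structure.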